[ofbiz-framework] branch trunk updated: Improved: Improve ObjectInputStream class

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 3f60efb  Improved: Improve ObjectInputStream class
3f60efb is described below

commit 3f60efb343a11723aa56c1bc1f5afac3a2f26e9f
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Sat May 2 12:32:07 2020 +0200

    Improved: Improve ObjectInputStream class
   
    (OFBIZ-10837)
   
    While working on OFBIZ-11633 I crossed an issue in R18 (not in trunk) where
    objects from org.apache.commons.fileupload (namely DiskFileItem and
    FileItemHeadersImpl) are not serializable.
   
    While at it I decided to handle at the SafeObjectInputStream level
    the "fileItems" case I already crossed with, OFBIZ-11534, in RequestHandler.
   
    It has an inconvenience in R18 (not in trunk) where ObjectInputStream can't
    handle a null class (of course) and so returns a benign exception in log (only).
   
    I believe it's better to handle these specific cases at the lower possible
    level in all supported branches.
---
 .../main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java   | 4 ++++
 .../base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java     | 4 ++++
 .../src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java | 4 ----
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
index 2aebcde..d50cfbf 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
@@ -64,6 +64,10 @@ public final class SafeObjectInputStream extends ObjectInputStream {
     @Override
     protected Class<?> resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
         if (!whitelistPattern.matcher(classDesc.getName()).find()) {
+            // DiskFileItem, FileItemHeadersImpl are not serializable.
+            if (classDesc.getName().contains("org.apache.commons.fileupload")) {
+                return null;
+            }
             Debug.logWarning("***Incompatible class***: "
                     + classDesc.getName()
                     + ". Please see OFBIZ-10837.  Report to dev ML if you use OFBiz without changes. "
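Review bot: the added check in resolveClass uses classDesc.getName().contains("org.apache.commons.fileupload"), which matches that string anywhere in the class name instead of as a package prefix, and it returns before the Debug.logWarning call, so any non-whitelisted class whose name carries that substring is rejected with no log entry at all. Suggest startsWith("org.apache.commons.fileupload.") and a low-level log line so the rejection stays visible to whoever audits deserialization failures. Returning null from resolveClass also deserves a second look: the commit message itself says ObjectInputStream cannot handle a null class in R18, and the method already declares ClassNotFoundException, which is the signal a caller would expect for a class that was refused.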
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
index 7375574..1950e12 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
@@ -77,6 +77,10 @@ public final class UtilObject {
         Object obj = null;
         try {
             obj = getObjectException(bytes);
+            // DiskFileItem, FileItemHeadersImpl are not serializable. So SafeObjectInputStream::resolveClass return null
+            if (obj == null) {
+                return null;
+            }
         } catch (ClassNotFoundException | IOException e) {
             Debug.logError(e, MODULE);
         }
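Review bot: the new "if (obj == null) return null;" after getObjectException(bytes) cannot tell a payload that was dropped by the fileupload filter apart from one that legitimately deserializes to null, and the caller receives null with nothing logged in either case. If the method ends by returning obj, which starts as null, the early return also changes nothing and only the comment carries information. Suggest stating in the method's Javadoc that null can mean the stream was rejected by SafeObjectInputStream, and fixing the comment grammar ("returns null").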
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
index 84f91e4..6918fcc 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
@@ -878,10 +878,6 @@ public class RequestHandler {
             }
         }
         if (reqAttrMap.size() > 0) {
-            // fileItems is not serializable.
-            // It contains a temporary DiskFileItem with a null value than can't be detected by UtilMisc::makeMapSerializable
-            // So it must be removed from reqAttrMap. See OFBIZ-11534
-            reqAttrMap.remove("fileItems");
             byte[] reqAttrMapBytes = UtilObject.getBytes(reqAttrMap);
             if (reqAttrMapBytes != null) {
                 req.getSession().setAttribute("_REQ_ATTR_MAP_", StringUtil.toHexString(reqAttrMapBytes));
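Review bot: the deleted reqAttrMap.remove("fileItems") protected the write path, UtilObject.getBytes(reqAttrMap), while the replacement handling in this commit sits on the read path (SafeObjectInputStream.resolveClass and the null check in UtilObject). The removed comment says fileItems holds a DiskFileItem that is not serializable and is not caught by UtilMisc::makeMapSerializable, so please confirm what getBytes does with that entry now: if it returns null, the "reqAttrMapBytes != null" check skips setting _REQ_ATTR_MAP_ and every other request attribute in the map is lost along with fileItems. A test that sends a multipart request through this branch would settle it.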